Thank you very much for the link to the upcoming 3.0.6 release.
I've mailed you a logfile and three .pcaps of an ipsec session.
Seems like the VBox-NAT engine currently does not forward the NONESP-encap packets on port 4500/udp.

In addition to that I tried every hardware type which VirtualBox provides to rule out driver dependencies on the guest operating system, but to no avail.
After analyzing the pcaps made this morning, I saw that the missing UDP-packets are fragmented.

The NONESP-Packet is split into two fragments according to the MTU of the 'nat'ed interface of the guest.
None of the fragments show up on the host interface. Don't know whether this finding is directly related to this issue though.

Like I said at 2009-09-08 07:17:03: I switched through every available hardware to check whether a driver problem is in question.
I made a pcap of all sessions involved in this driver switch.
All pcaps had the same pattern: The fragmented NONESP on 4500/udp did not get through the NAT layer.
The source code on the changeset query is recent and all the same over the different flavours of VirtualBox?
I saw some interesting debugging hooks lurking around there and I wonder whether they are compile time only.
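
The check described in the comments above (fragmented non-ESP packets on 4500/udp present on the guest side but absent on the host side), as an added example that is not part of the original ticket or of VirtualBox. It works on raw IPv4 packets without a link-layer header; the function names, addresses and sizes are constructed for illustration.

```python
import struct
from collections import defaultdict

NATT_PORT = 4500                 # UDP port used for IPsec NAT traversal
NON_ESP_MARKER = b"\x00" * 4     # four zero bytes in front of IKE on port 4500

def ipv4(src, dst, ident, offset, more, payload, proto=17):
    """Build a constructed IPv4 packet (checksum left at 0); offset is in bytes."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0, bytes(src), bytes(dst))
    return hdr + payload

def fragmented_natt(packets):
    """Return {(src, dst, id): info} for fragmented non-ESP datagrams on UDP/4500."""
    groups = defaultdict(list)
    for pkt in packets:
        ihl = (pkt[0] & 0x0F) * 4
        total, ident, flags_off = struct.unpack("!HHH", pkt[2:8])
        more, offset = bool(flags_off & 0x2000), (flags_off & 0x1FFF) * 8
        if pkt[9] != 17 or not (more or offset):
            continue                      # not UDP, or not a fragment
        groups[(pkt[12:16], pkt[16:20], ident)].append((offset, more, pkt[ihl:total]))
    found = {}
    for key, frags in groups.items():
        frags.sort()
        offset0, _, first = frags[0]
        if offset0 != 0 or len(first) < 12:
            continue                      # fragment holding the UDP header not captured
        sport, dport = struct.unpack("!HH", first[:4])
        if NATT_PORT not in (sport, dport) or first[8:12] != NON_ESP_MARKER:
            continue
        end, complete = 0, True           # complete: contiguous and last fragment has MF=0
        for off, _, data in frags:
            complete &= (off == end)
            end = off + len(data)
        found[key] = {"fragments": len(frags), "bytes": end,
                      "complete": complete and not frags[-1][1]}
    return found

def sample_guest_capture():
    """Constructed sample: one 1800-byte IKE message split at a 1500-byte MTU."""
    ike = NON_ESP_MARKER + b"\xAA" * 1800
    udp = struct.pack("!HHHH", NATT_PORT, NATT_PORT, 8 + len(ike), 0) + ike
    src, dst = (10, 0, 2, 15), (192, 0, 2, 1)
    return [ipv4(src, dst, 0x1234, 0, True, udp[:1480]),
            ipv4(src, dst, 0x1234, 1480, False, udp[1480:])]
```

Running `fragmented_natt` over the guest-side and the host-side packet lists and comparing the results shows whether the fragmented datagrams were dropped in between; the key contains addresses, so across NAT compare counts and sizes rather than keys.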

In the received pcap files I observed that IKE_AUTH is indeed not fully forwarded to the guest. I've updated the VBoxDD.so.4801.exp bits
to log socket operations and later fragmentation, to detect at which step the corruption happens. I'd appreciate it if you could collect pcap files with the logs like we did before.
Thank you for your cooperation.

Just tested the binary.
IPSEC in a NAT'ed guest works like a charm and out of the box now using this VBoxDD.so.4801.
md5sum (for the record) of it is:
60ea1d7d8ce6e03c016b48b8e25055eb VBoxDD.so
Thank you very very much for your hard and eager work on this issue.

Release-binary installs without any glitches atop 3.0.6 production.
IPSEC via NAT works right out of the box.
You guys - and especially hachiman - did a pretty good job!
Thanks a lot and all the best wishes!